WindTalker: Stealing mobile PINs through the WiFi signal

An adversary "can exploit the strong correlation between CSI fluctuation and keystrokes to infer the user’s number input," the researchers say.

Security researchers have discovered a way to use WiFi to eavesdrop on passwords and other sensitive data as they’re being entered onto a mobile phone touch screen — without requiring sight of the device or even the user.

“WindTalker,” as the scientists have dubbed their attack, works by inferring a password or PIN from WiFi interference caused by the user’s hand as it moves across the screen. It can be run against anyone using a WiFi connection controlled by the attacker and renders any encryption the target is employing irrelevant.

In a recent academic presentation, the researchers explained that WindTalker works because different “keystrokes on mobile devices will lead to different hand coverage and finger motions, which will introduce a unique interference to the [WiFi] signals and can be reflected by the channel state information,” or CSI. CSI is a comprehensive picture of the way a signal is propagated from the transmitter to the receiver.

“The adversary can exploit the strong correlation between the CSI fluctuation and the keystrokes to infer the user’s number input,” the researchers say.


WindTalker is not the first hack that uses collateral information inadvertently broadcast by devices or users to infer sensitive data.  Known as “side-channel” attacks, such methods have been demonstrated repeatedly by academics and other researchers.

But WindTalker is the first CSI side-channel attack that doesn’t require either a device being compromised or any special hardware.

Instead, the CSI data is collected by a public WiFi network, “which is easy-to-deploy and difficult-to-detect.”

Moreover, the system devised by academics analyzes the public WiFi traffic alongside the CSI data — making it possible to perform the most challenging part of the hack — inferring the hand movements and the keyboard input — “only for the sensitive [time] period where password-entering occurs.”

The researchers say they carried out “a detailed case study to evaluate the practicality of the password inference” using Alibaba’s Alipay, the largest mobile payment platform in the world.


“The evaluation results show that the attacker can recover the key with a high successful rate,” the researchers conclude.

The study: “When CSI Meets Public WiFi: Inferring Your Mobile Phone Password via WiFi Signals,” was presented Oct. 24 at the Association for Computing Machinery’s 23rd annual Conference on Computer and Communications Security in Vienna, Austria.

Shaun Waterman

Written by Shaun Waterman

Contact the reporter on this story via email, or follow him on Twitter @WatermanReports. Subscribe to CyberScoop to get all the cybersecurity news you need in your inbox every day at

Latest Podcasts